Cybercrime: The police response

Detective Superintendent Andrew Gould, the National Cybercrime Programme Lead and former head of the Met’s Cybercrime Unit, talks about the threat landscape and what the police are doing to combat it.

The threat of cybercrime is ever present. It seems not a day goes by without some kind of data breach or cyber threat making the news. But who is attacking us? What are they doing and what are the police doing to counter their threat?

The many faces of cybercrime

The threat from hostile state actors is well known and significant. States with substantial resources and highly educated, technically sophisticated populations, and who use cyber attacks to support wider policy objectives, pose a real threat to the UK, particularly when we consider how networked we are and therefore potentially vulnerable in the modern, globally connected world. Publicly known examples of alleged hostile state action include Russian interference in the US election and North Korea’s WannaCry attack that so affected the NHS.

Outside of government and the critical national infrastructure it is unlikely that an organisation will be targeted by state action. The biggest and most likely threat to your organisation is from organised crime groups. Such groups can be highly capable themselves and are motivated by the desire for financial gain often through stealing data, money or intellectual property.

Hacktivists who use hacking to make a political point or to publicly embarrass governments or companies continue to pose a threat. Whilst they are far fewer in number, if you are an organisation in their sights, the damage hacking collectives such as Anonymous could do could be substantial.

The risk from cyber terrorists is currently assessed to be low. While they no doubt have the intent to cause harm, they lack significant capability. But that could change quickly. It would only take a few extremists with advanced computing skills to increase that threat substantially.

Next are our kiddie scripters. While they may be relatively unskilled, given the lack of effective cyber security we still see in so many organisations, it is no surprise that these young hackers are still able to occasionally cause damage of the kind experienced a few years ago by TalkTalk.

Finally, we see a perennial insider threat. This threat can be deliberate, from a disgruntled, corrupted or criminal employee. Or it can be unwitting, when a member of staff fails to identify a cybercrime threat and accidentally enables or falls prey to an attack.

The criminal marketplace itself is also changing. We see lower barriers to entry than ever before. Hacking and stressor tools are readily available and easy to download and use with video tutorials from websites such as YouTube. Hacking is not the preserve of the highly skilled but can be undertaken with minimal skill and preparation by almost anybody with an internet connection. We also see a criminal tools-as-a-service model with a global marketplace for skills or exploits available to rent or buy, often for nominal sums.

At the other end of the spectrum, high-end capability, traditionally the preserve of sovereign states, has fallen into criminal hands and is now more widely available. The Shadowbrokers group allegedly obtained leaked US National Security Agency tools and one of those exploits, Eternal Blue, was used to help deliver the WannaCry ransomware payload.

It is clear that the cybercrime threat is more diverse, larger and technically challenging than ever before.

Criminal motives and objectives

The most common threat remains from ransomware with new strains or variations on the old emerging all the time. Strong perimeter protection, staff awareness and effective, tried and tested backups remain the best defence. If infected, you may be lucky enough to find the private key to decrypt your files on The No More Ransomware website.

Large scale data breaches such as those reported by Yahoo, Uber and Equifax remain a daily occurrence with stolen data often used to facilitate other crimes. The majority of breaches are still due to well recognised vulnerabilities. A lack of patching continues to make organisations vulnerable. Breaches are often followed by an extortion demand for Bitcoin. Law enforcement has had good success locating and arresting cybercriminals for extortion in the UK and abroad so it is strongly recommended you call the police if this happens to you. Check the Have I Been Pwned website to identify any of your own organisations credentials that are out there.

Supply chain compromise is an emerging and growing threat. Cybercriminals exploit the opportunity to attack organisations through third parties. Last year’s NotPetya ransomware attack was undertaken through the compromise of a popular Ukrainian accounting app. This attack caused huge disruption and cost the shipping company Maersk $300m alone. IT service providers are a particularly valuable target. These attacks are particularly hard to defend against as they come from trusted third parties.

Distributed denial of service attacks, where a website or other service is overwhelmed with demand causing a loss of the service, also continue in significant volume. These are often used as a distraction to cover for a network intrusion. The relative importance of 24/7 customer and staff access to different company services will dictate how much you invest in mitigation.

Less technically sophisticated, but far greater in volume is business email compromise, often leading to CEO or mandate fraud. Cybercriminals use readily available tools to spoof email addresses and combine this with increasingly thorough research on social media to trick employees into sending them money - often substantial sums. A lack of effective in-house scrutiny and authorisation processes has seen companies lose millions in the click of a mouse.

The law enforcement response

The government has recognised the threat from cybercrime as a Tier 1 national security threat and is investing £1.9bn to tackle it through the UK’s excellent National Cyber Security Strategy and Programme. For law enforcement, new structures, additional resources and new capacity and capability have led to substantial improvements in tackling the threat at the international, national and regional level.

There are excellent joint working relationships between GCHQ’s National Cyber Security Centre, the National Crime Agency’s National Cybercrime Unit, the Met Police and the Regional Organised Crime Units and the fostering of a genuine ‘Team CyberUK’ approach. This approach is bearing fruit as it tackles organised cybercrime at the highest level.

What has been missing up until now is the local policing response and a strong victim focus. For most forces cybercrime has not been a priority and they lack officers and staff with the skills to investigate or advise the public. So, these crimes have been largely ignored. But policing is changing.

In October 2017 the National Police Chiefs’ Council agreed forces will establish cybercrime units in every force in England and Wales. The government has made money available to help fund these teams at the local level. This initiative will deliver specialist cybercrime units to provide local delivery of the cybercrime response.

The focus is on an improved victim experience, an effective investigative response, targeted local cybercrime prevention messaging and work to identify and divert young people vulnerable to cybercrime.

Forces will also work with businesses to help develop effective incident response plans and test them.

They will also become centres of excellence for the wider force, such as in the Dark Web and cryptocurrencies, helping mainstream cyber skills and knowledge into other areas of policing and the wider workforce.

Policing is committed to improving its response to cybercrime and providing a more victim focused service to victims. With funding from government these new force teams will be in place by April next year. By providing a truly local to global response we can reduce cybercrime and bring more cybercriminals to justice.